IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt

Sean Turner <sean@sn3rd.com> Thu, 09 September 2021 18:12 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6BC43A08D9 for <tls@ietfa.amsl.com>; Thu, 9 Sep 2021 11:12:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJa5_8qdPhhK for <tls@ietfa.amsl.com>; Thu, 9 Sep 2021 11:12:35 -0700 (PDT)
Received: from mail-qv1-xf33.google.com (mail-qv1-xf33.google.com [IPv6:2607:f8b0:4864:20::f33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7434E3A08D7 for <tls@ietf.org>; Thu, 9 Sep 2021 11:12:35 -0700 (PDT)
Received: by mail-qv1-xf33.google.com with SMTP id z2so1721448qvl.10 for <tls@ietf.org>; Thu, 09 Sep 2021 11:12:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Dvmh6rAUIyRXcnoYhjO8HVp81cK8aHeMLIx2oU5uW38=; b=h3qgOvnf+Iak+2qeM4KrIHqmUDzip9SfyH/H5GY3aKpAIeiegXlAmVGfzHVxmTgCA9 4msB6EjWdKKMhTBFuQhKPNWzSY1WgDQytpSa42T/tNWy2ER1T1zKVKhHkknxbLkTeYLL c8f7StHaRn+DG+vY6cWCwGUXlH2u2kJqkZkiA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Dvmh6rAUIyRXcnoYhjO8HVp81cK8aHeMLIx2oU5uW38=; b=dYE3U5GadlWDCp3Vo+8vVYooO40GNsGWseUswhDL1vu8jGsnOySsbrbclcGtPMaSJU S63xqkZItJr4bBv7juiNDQ9liHvMmc9BrqSJAYsRg5pJTXA3wayQFuXPdHnlQ3hcu1gE GKUmVJjhTTr6LmAvEMOc5jRgh2d2T/z0f8gEsKQOx+hAiCumU/pUuWeQkAsRRhSnsHpL ozenkcpIhhmZJEnD5gGoiVQ3AZs70wmb89MLBAcHFE73YgoQWn0n+PmxP5gpxbs6Ms4d /U7JAZUyFcraSv2IS1m2/yVh8FKuJ8Ie3uhJ+xPQ0dFKvS1+7dGJ/n0HixeISLipnqaZ suJQ==
X-Gm-Message-State: AOAM531c2D0OHEs90oo9UYTQ8lyhbqeGXpeLowGZ7Itqz14Cg9EM/3Dg 9HJ9DuxLMLt73B2uE21p8DrkPQ==
X-Google-Smtp-Source: ABdhPJxQL5mw8bat8/SwgR4w5GhnZjIRJw9H0wyjbP8jltP9nE3zOEE8mxtqQ6jMCGHHd4cfYHuIxA==
X-Received: by 2002:ad4:4f31:: with SMTP id fc17mr4255404qvb.10.1631211153635; Thu, 09 Sep 2021 11:12:33 -0700 (PDT)
Received: from smtpclient.apple (pool-71-178-177-131.washdc.fios.verizon.net. [71.178.177.131]) by smtp.gmail.com with ESMTPSA id q14sm1774022qkl.44.2021.09.09.11.12.32 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Sep 2021 11:12:32 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAF8qwaBQdw5m7BAqaVL7hw9_1gDrw8=6uZSZfJ2BmzaOBpyY9g@mail.gmail.com>
Date: Thu, 09 Sep 2021 14:12:31 -0400
Cc: TLS List <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <25F5F4EE-7777-4C7C-8218-938392A59A5E@sn3rd.com>
References: <163068481195.6396.4015668882511523788@ietfa.amsl.com> <6f0942ee-e946-48fb-96db-1fe35d2c1d46@redhat.com> <CAF8qwaBQdw5m7BAqaVL7hw9_1gDrw8=6uZSZfJ2BmzaOBpyY9g@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>, Hubert Kario <hkario@redhat.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rSbXvNPhmr27z0HOBzwv6x0j1mI>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2021 18:12:41 -0000

> On Sep 4, 2021, at 17:45, David Benjamin <davidben@chromium.org> wrote:
> 
> On Fri, Sep 3, 2021 at 1:24 PM Hubert Kario <hkario@redhat.com> wrote:
> On Friday, 3 September 2021 18:00:12 CEST, internet-drafts@ietf.org wrote:
> > A New Internet-Draft is available from the on-line 
> > Internet-Drafts directories.
> > This draft is a work item of the Transport Layer Security WG of the IETF.
> >
> >         Title           : Deprecating MD5 and SHA-1 signature 
> > hashes in (D)TLS 1.2
> >         Authors         : Loganaden Velvindron
> >                           Kathleen Moriarty
> >                           Alessandro Ghedini
> >       Filename        : draft-ietf-tls-md5-sha1-deprecate-08.txt
> >       Pages           : 6
> >       Date            : 2021-09-03
> >
> > Abstract:
> >    The MD5 and SHA-1 hashing algorithms are increasingly vulnerable to
> >    attack and this document deprecates their use in TLS 1.2 digital
> >    signatures.  However, this document does not deprecate SHA-1 in HMAC
> >    for record protection.  This document updates RFC 5246.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/
> >
> > There is also an htmlized version available at:
> > https://datatracker.ietf.org/doc/html/draft-ietf-tls-md5-sha1-deprecate-08
> 
> >   Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest
> >   messages.
> 
> >    Clients MUST NOT include MD5 and SHA-1 in CertificateVerify messages.
> >   If a server receives a CertificateVerify message with MD5 or SHA-1 it
> >   MUST abort the connection with handshake_failure or
> >   insufficient_security alert.
> 
> As written, this would make already existing implementations not RFC 
> compliant
> when they are configured to not support SHA-1.
> 
> RFC5246 requires the server to abort with illegal_parameter if the
> CV included an algorithm that wasn't advertised in CR.
> 
> Ah, good catch. There's also some odd asymmetry here. Section 4 talks about a server being unable to *send* a ServerKeyExchange (and uses the correct alerts). It says nothing about the client *receiving* an invalid (by ClientHello) ServerKeyExchange which is, as in the case you describe, an illegal_parameter. Meanwhile, Section 5 talks about the server *receiving* an invalid (by CertificateRequest) CertificateVerify, and with the wrong alerts. It says nothing about the client being unable to *send* a CertificateVerify.
> 
> I don't feel very strongly about whether we talk about sending, receiving, or both, for each of these messages. But we should be consistent and use the right alerts. (Or we could just talk about preferences and let the message behavior fall out of that.)

I think what might solve this is the following (I just included all of the text with 2119-language because there isn’t much of it):

2.  Signature Algorithms

   Clients MUST include the signature_algorithms extension.  Clients
   MUST NOT include MD5 and SHA-1 in this extension.

3.  Certificate Request

   Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest
   messages.

4.  Server Key Exchange

   Servers MUST NOT include MD5 and SHA-1 in ServerKeyExchange messages.
   If the client receives a ServerKeyExchange message indicating MD5 or
   SHA-1, then it MUST abort the connection with an illegal_parameter
   alert.

5.  Certificate Verify

   Clients MUST NOT include MD5 and SHA-1 in CertificateVerify messages.
   If a server receives a CertificateVerify message with MD5 or SHA-1, then
   it MUST abort the connection with illegal_parameter alert.

v2.23.0 | Report a Bug | By Email